Our mission, vision and strategic goals


Mission 

To uphold information rights for the UK public in the 
digital age. 

Vision 

To increase the confidence that the UK public have in organisations that
process personal data and those which are responsible for making public
information available.


Strategic goals 
1. To increase the public’s trust and confidence in how 
data is used and made available. 


2. Improve standards of information rights practice 
through clear, inspiring and targeted engagement 
and influence. 


3. Maintain and develop influence within the global 
information rights regulatory community. 


4. Stay relevant, provide excellent public service and 
keep abreast of evolving technology. 


5. Enforce the laws we help shape and oversee. 
Information Commissioner's foreword


Welcome to my first annual report as the United Kingdom’s 
Information Commissioner. 


2016-17 has been a time of continuity and change for the Information 
Commissioner's Office. 


I took up my post in July 2016, taking over from Christopher Graham who 
had led the organisation so ably since 2009. I arrived as the office was 
starting to gear up for a new legislative framework for data protection 
provided by the European Union data protection reform package. The new 
General Data Protection Regulation will take effect in May 2018 and replace 
the present Data Protection Act. My office is preparing for the future in data 
protection with new processes, a comprehensive change programme and an 
education and guidance programme for stakeholders and the public. 


There was also change at the top of the organisation as I recruited a new
Senior Leadership Team including two new Deputy Commissioners and
a Deputy Chief Executive Officer. I intend to complete my team with the
appointment of a new General Counsel in the summer of 2017.


The continuity was provided by our consistently improving work to regulate 
information rights in the United Kingdom. Our casework queries continue to 
increase and we have brought more cases to a conclusion than ever before 
in both the data protection and freedom of information fields of work. 


Our highly respected helpline took more calls and our advice staff dealt with 
more written queries than the previous year while our own compliance with 
the Freedom of Information Act remained high at 98%. 


Our policy staff produced guidance and research papers on issues as 
diverse as consent and Big Data, providing specific guidance alongside 
our overarching guides to how to prepare for the General Data Protection 
Regulation next year. 


We continued to take action against nuisance calls and the misuse of 
personal data, bringing civil and criminal prosecutions against a number of 
individuals whose practices contravened individual privacy rights. 


As well as preparing for changes in data protection, we have ensured that 
the Freedom of Information Act is well regulated, guiding public authorities 
to help them meet their obligations and assisting the public by making 
decisions that provide greater transparency. My office continues to explore 
the ways in which the freedom of information regime could be enhanced with 
work underway on the potential to include outsourced public services. 


Our offices in Cardiff, Belfast and Edinburgh continued their critical outreach
work to citizens and organisations in those Nations and Regions of the UK.
We also opened a new London satellite office to improve our engagement
with stakeholders based in the capital, including parliamentarians and
the government.
As the laws we regulate change, there is an opportunity for us to improve
the trust that the public feel in those who process their personal data or 
who make information available to the public. We have launched our new 
Information Rights Strategic Plan that places this trust at the heart of what 
the Information Commissioner's Office will do in the next four years. 


The digital economy is very important to the UK - personal data and how 
it is handled is central to trade and growth and studies show the digital 
economy is growing 30% faster than the rest of the economy. Data knows 
no borders. 


Continued growth and citizen confidence in the digital economy needs an 
information rights regulator that is helpful, authoritative, tech-savvy and 
practical, but also a regulator that is firm and takes action when
wrongdoing occurs. We also continue to work with stakeholders to ensure that data
sharing for the purposes of law enforcement and security is promoted in a 
proportionate way. 


I believe that this report shows that our improving services and productivity 
make us that regulator and I commend it to you. 




Elizabeth Denham 
Information Commissioner 
5 July 2017 
Our major achievements and work this year


Preparing for new legislation 


We continued to provide guidance and engagement for organisations in 
the public, private and third sectors as they prepared for a new legislative 
framework from 25 May 2018. 


This included publishing an overview of the General Data Protection 
Regulation (GDPR) which links to new European Union (EU) level guidelines 
and to more detailed Information Commissioner's Office (ICO) guidance
in specific areas. We continued to contribute to the work of the Article 29
Working Party alongside Data Protection Authorities from across the EU. 
We contributed particularly heavily to guidelines on the lead supervisory 
authority, data protection officers and data portability. 


We consulted on our first detailed guidance on the GDPR covering consent. 
We expect to publish finalised guidance in 2017 enabling businesses and 
other organisations to prepare for the new standard of consent in good time. 


We have contributed to the Article 29 Working Party Opinion on the proposed 
regulation for ePrivacy, drawing on our experience of issues arising from 
voice and electronic marketing, and raised awareness of the legislative 
process and next steps connected with this reform. 


As the UK's supervisory authority for the provision of trust services under 
the Electronic Identification and Trust Services for Electronic Regulations 
2016 (eIDAS), we published a guide for trust service providers that want
to gain qualified status. We also developed internal procedures for granting
qualified trust service provider status in anticipation of the end of transitional 
arrangements in July 2017. 


Tackling nuisance calls and unsolicited marketing 


In 2015 the Daily Mail and Mail on Sunday made allegations about how 
some charities were misusing people's personal data. The allegations were 
about nuisance calls, breaches of the Privacy and Electronic Communications 
Regulations 2003 (PECR), and the widespread trading and sharing of donors'
personal details. 


Following our investigations we found that some charities had shared 
personal data with third party organisations without telling people about this 
use of their personal data. The investigation resulted in us issuing 13 civil 
monetary penalties to the value of £181,000. The Commissioner exercised 
her discretion to set a reduced level of penalty that would encourage better 
practice while not unduly distressing donors. 
We also held 17 compliance meetings with other charities and two call
centres about their compliance with the Data Protection Act (DPA) and PECR; 
issued advice letters to six charities; and monitored three charities with their 
compliance being assessed over a three month period. 


To help highlight good practice, along with the Charity Commission 
and the Fundraising Regulator, we held a charity fundraising conference 
in February 2017. 


The Commissioner intends to provide Parliamentarians with a wider report on 
our interventions in the charity sector. 


The ICO was represented on the Scottish Government's Nuisance Calls 
Commission, a working group aiming to find practical solutions to the 
problem of unwanted calls and develop an action plan showing how to 
deliver long term differences and reduce the impact on people’s lives. 


Our continuing work on freedom of information 


We published detailed freedom of information guidance on the exemptions 
from disclosure in the areas of defence and statutory prohibitions, and on 
advice and assistance under the Environmental Information Regulations (EIR). 


The range of authorities monitored to help in meeting their freedom of 
information responsibilities included government departments, councils and 
a police force. In addition we undertook a new initiative with most of the UK 
Departments of State, asking them to provide details of their performance in 
responding to requests for information. 


In March 2017 the Information Commissioner raised the threshold at which 
our monitoring of public authorities is triggered. Public authorities will
now be considered for monitoring if fewer than 90% of their freedom of
information responses fall within the statutory timescale. 


During 2016-17 we experienced increasing volumes of appeals to the 
First Tier (Information Rights) Tribunal, with 281 appeals received. 
We successfully defended over 75% of the Commissioner's decisions. 


Notable amongst these were appeals made by public authorities against 
decision notices where we had ordered disclosure of detailed information 
relating to large contracts under public finance initiatives. The contract 
documentation in each case was large and the public authorities concerned 
had not engaged satisfactorily with both their freedom of information 
obligations and our initial investigation. 


We also successfully defended an appeal against a decision notice in the 
Court of Appeal. The Commissioner had ordered the disclosure of information 
concerning one of the Department of Work and Pensions’ workfare 
programmes. The department had challenged the Upper Tribunal's findings 
on the definition of commercial interests and its approach to the public 
interest test. 
Our continuing work on data protection


We continued to promote our online self-assessment toolkit,
helping small and medium sized enterprises assess their own compliance
with data protection legislation, and have developed new content for 
GDPR implementation. 


We published a revised Privacy notices code of practice in October 2016. 
It emphasises the importance of transparency to consumer confidence and 
the growth of the digital economy. 


Our ground breaking paper on Big Data, Artificial Intelligence and Machine 
Learning, which contains practical advice on the tools that can assist 
organisations with compliance, was published in March 2017. 


The referendum on the UK's membership of the EU in June 2016,
and more recently the calling of the general election, both highlighted the
care needed when using personal information for political campaigning. 
The ICO engaged with the Electoral Commission and the main campaigns 
and parties, ensured that guidance on campaigning was updated and held 
events to brief the parties in advance of the general election. 


We also ran information rights awareness raising sessions with elected 
members of both the Scottish Parliament and Welsh Assembly. 


We held a series of awareness raising events in partnership with the
Northern Ireland Council for Voluntary Action and published blogs for the
Scottish Council for Voluntary Organisations.


The Commissioner successfully intervened in a number of private actions
in the Court of Appeal. In Dawson-Damer v Taylor Wessing LLP; and the
linked cases of Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v Oxford 
University before the Court of Appeal the Commissioner successfully assisted 
the Court in its consideration of the practical application of the DPA, 
including the nature and extent of disproportionate effort, the court's 
discretion and the scope of the domestic purposes exemption. 


Medical records are sensitive personal information. We have worked with the 
National Data Guardian on her review of data security, consent and opt-outs. 
We have continued to deal with specific concerns about GP patient record 
systems having inappropriate data sharing functions, and are working with 
several health service organisations to secure necessary improvements. 


In addition medical information is valued for research purposes and we
have worked to ensure that individuals have proper choice and control. This
includes ongoing work around the use of analytical tools for medical research 
and the extent to which patients are aware of the use of their information. 


We have worked with Government on its cyber security regulation and 
incentives review, providing evidence to Parliament during its scrutiny of the 
issue. The review makes a number of recommendations and we are working 
with the National Cyber Security Centre and Government to play our part in 
fulfilling these. 
In addition, as the number and complexities of cyber crime related
incidents have increased, we have restructured and expanded our civil
enforcement team, creating a sector team dedicated to the investigation
of cyber related incidents.


The international work of the Commissioner 


The ICO continued to fulfil its legal obligations at the European level, 
participating in the Article 29 Working Party and other supervisory duties in 
policy areas relating to Europol, EU Customs Union, Schengen Information 
System and Eurodac. The ICO contributed to the organisation of the new 
oversight arrangements for the new Europol Regulation. 


The ICO was re-confirmed as co-chair of the Common Thread Network at
its Annual General Meeting in October 2016. This is a new network linking
data protection and privacy regulators from across the Commonwealth to 
further a common approach to respecting citizens’ privacy, in promoting and 
building capacity in the sharing of knowledge and good practices for effective 
data protection. 


We committed significant resource to the development of the EU-US 
Privacy Shield transfer framework. The Article 29 Opinion on the draft 
Privacy Shield adequacy decision was published on 13 April 2016. It 
expressed strong concerns. 


The European Commission's decision provides that the US ensures an 
adequate level of protection for personal data transferred to the US under 
the Privacy Shield and the scheme became operational from 1 August 2016. 
The finalised Privacy Shield requires the US to monitor and enforce more 
robustly, and cooperate more with European Data Protection Authorities.
It includes, for the first time, written commitments and assurance regarding
access to data by public authorities and sets up a mechanism for individuals 
to submit enquiries regarding the US signals intelligence practices. 


In October 2016 the ICO participated in the International Conference of 
Data Protection and Privacy Commissioners. We successfully presented
a resolution on International Enforcement Cooperation, advancing the
innovative global work to develop a more joined-up approach improving
privacy and data protection authorities' ability to cooperate in enforcement.


Selected key statistics 

We delivered: 

• 35 audits providing advice and recommendations;
• 22 information risk reviews;
• 23 follow-up audits checking that recommendations were acted upon; and
• 58 advisory visits to small and medium sized enterprises (SMEs).


There were over 140 responses to our Local Authority Information 
Governance Survey. The findings were published in March 2017. 
We issued more civil monetary penalties for breaches of PECR than ever with
23 penalties totalling £1,923,000 covering a range of unlawful marketing 
activities. One of the largest was for £270,000, served on Road Traffic 
Consult trading as Media Tactics for making 22 million unsolicited automated 
marketing calls to members of the public. 


We issued 16 civil monetary penalties totalling £1,624,500 for serious 
breaches of the data protection principles across both public and private 
sectors. The largest was a £400,000 penalty issued to Talk Talk. 


During the year there has been a 50% increase in criminal cases resulting 
in a conviction. Prosecutions for section 55 DPA offences have seen a 267% 
increase. In total we secured 21 criminal convictions: 


• Six convictions for non-notification offences (section 17 of the DPA).
• Four convictions for failing to respond to an information notice (section 47
  of the DPA).
• Eleven convictions for unlawfully obtaining data (section 55 of the DPA).
• Five cautions were issued for offences under section 55 of the DPA.


This year saw a significant increase in the number of data protection 
concerns brought to us with over 18,300 cases received; about 2,000 more 
than last year. Of these we have resolved more cases than ever before, 
closing over 17,300. 90% of cases were resolved within three months
of receipt.


Included in these cases were over 300 from individuals who had asked 
search engines to remove results about them; the right to be forgotten. 
We asked for results to be removed in a third of these. 


We also dealt with over 600 concerns about the use of domestic CCTV 
cameras which generally related to neighbour disputes or alleged 
harassment. We advised CCTV users on their responsibilities, especially in 
respect of operating cameras viewing beyond the user's property boundaries, 
and signposted people to other bodies where appropriate. 


The number of complaints about freedom of information was similar to the 
previous year with over 5,400 new cases received and 5,100 closed during 
the year. 67% of cases received a decision within three months and over 
88% of cases were concluded within six months of receipt. We issued 1,329 
formal decision notices. 


In total our casework teams have looked at 21,393 individual concerns 
during this financial year. 


As of the 31 March 2017 the ICO had 472 staff (439 full time equivalents) with 
69 new staff having joined us during the year as the volume of work coming 
into the office increases and preparations for GDPR and LED commence. 


We trained 298 members of staff on information rights legislation and 31 
staff successfully obtained the BCS Data Protection qualification. 
Operational performance


Data protection concerns 


[Chart: data protection concerns received and finished, 2015-16 and 2016-17. Surviving data label: 17,335 finished.]

Caseload
1,848 at 31 March 2016
2,809 at 31 March 2017


Age distribution of caseload as at 31 March 2017 


[Bar chart: percentage of caseload by age band: 0-30 days, 31-90 days, 91-180 days, 181-365 days, 366+ days. Surviving data labels: 5.7%, 0.8%, 1%.]
Age distribution of finished concerns

                     2015/16    2016/17
30 days or less      50%        32%
90 days or less      92%        90%
180 days or less     98.6%      98.5%

[Bar chart: percentage of finished concerns by age band: 0-30 days, 31-90 days, 91-180 days, 181-270 days, 271-364 days, over 1 year. Surviving data labels: 1.1%, 0.1%, 0.2%.]


Outcomes of concerns finished 


[Bar chart: number of concerns finished by outcome. Outcomes shown: No action for DC*; DC action required; Concern to be raised with DC; Compliance advice given to DC; Response needed from DC; General advice given to DC; Not DPA; DC outside UK; Improvement Action Plan agreed]

*Data Controller


DC action required, Compliance advice given to DC, General advice given to
the DC and action plan agreed are all outcomes that result in us explaining
to organisations how to improve their information rights practice in some
way. These outcomes equal 39% of the total for the year. Concerns finished
with the following outcomes (order made, no order made, enforcement
notice pursued, criminal investigation pursued, and undertaking served)
represented 0.2% of total.


Areas generating most concerns where sector is specified (2015/16 and 2016/17)

• General business
• Health
• Local government
• Lenders
• Central government
• Policing and Criminal
• Education
• Telecoms
• Internet
• Other individuals

Reasons generating most concerns where nature is specified (2015/16 and 2016/17)

• Subject access
• Disclosure of data
• Inaccurate data
• Security
• Right to prevent processing
• Use of data
• Fair processing
• Obtaining data
• Excessive / Irrelevant data
• Retention of data


Freedom of information complaint casework 


[Chart: freedom of information complaints received and finished]

Caseload
955 at 31 March 2016
1,216 at 31 March 2017

Age distribution of caseload as at 31 March 2017

[Bar chart: percentage of caseload by age band: 0-30 days, 31-90 days, 91-180 days, 181-270 days, 271-365 days]


Age distribution of finished complaint casework

                     2015/16    2016/17
30 days or less      48%        45%
90 days or less      71%        67%
180 days or less     92%        88%
365 days or less     99.7%      99.1%

[Bar chart: percentage of finished complaint casework by age band: 0-30 days, 31-90 days, 91-180 days, 181-270 days, 271-364 days, over 1 year. Surviving data labels: 2.6%, 0.9%.]
Areas generating most complaint casework where sector is specified

[Charts for 2015/16 and 2016/17. Sectors shown: Local Government; Central Government; Police & criminal justice; Health; Education; Private companies. Surviving data labels: 40% (2015/16), 39% (2016/17).]


Outcomes of complaint casework finished 


[Bar chart: complaint casework finished by outcome. Outcomes shown: Complaint made too early (no internal review); Decision notice served; Informally resolved; Ineligible complaint; Complaint not progressed]


Outcome of complaint casework where a decision notice is served

                     2015/16        2016/17
Total served         1,376          1,329
Upheld               330 (24%)      323 (24.3%)
Not upheld           851 (61.8%)    787 (59.2%)
Partially upheld     195 (14.2%)    219 (16.5%)

Appeals to the Information Rights Tribunal

[Chart: appeals received and finished. Surviving data labels for appeals received: 275 and 281.]
Open caseload as at 31 March 2017

[Bar chart: open appeals by court or tribunal: First tier Tribunal; Upper Tribunal; Court of Appeal; High Court - Judicial review applications]


Outcomes of Appeals finished in 2016/17 


[Bar chart: number of appeals finished by outcome. Outcomes shown: Dismissed; Withdrawn (18.1%); Part Allowed; Allowed; Struck out; Consent order; Other]


* Part allowed appeals fall into two broad categories: first, those appeals 
where the Commissioner has made a decision on a number of exemptions or 
exceptions and the Tribunal disagrees with her decision in relation to some 
but not all of those conclusions, and therefore overturns parts, but not all, 
of her findings. 


Second are those cases where an exemption or exception has not been
raised with the Commissioner during her investigation but is raised for the 
first time on appeal. Whilst not considered in the Commissioner's Decision 
notice, the Tribunal will on occasion find such late pleaded exemptions or 
exceptions compelling, and may again find that the original decision was 
sound, but that part of the appeal should be allowed in light of the novel 
arguments raised on appeal. 
Advice services

Calls to the helpline

Calls received: 204,700 (2015/16); 189,942 (2016/17)
Calls answered: 180,494

Call answer rates
Percentage answered: 95%
Average wait time: 59 seconds

Live chat

[Chart: chats requested and chats answered]

Call answer rates
Percentage answered: 97%
Average wait time: 4 seconds

Written advice

[Chart: written advice finished, 2015/16 and 2016/17]

Caseload
137 at 31 March 2016
115 at 31 March 2017
Age distribution of finished advice work

                     2015/16    2016/17
7 days or less       41%        75%
14 days or less      78%        88%
30 days or less      99%        98%


Profile of advice service 


• 78% of our enquiries are about the DPA, 14% PECR, 6% FOIA and 2%
  are hybrid.
• Approximately 75% of our enquiries are from members of the public and
  25% are from those we regulate.
• Half our customers have visited ico.org.uk before contacting us for advice.
• 3% of the enquiries received are sent to us in error.


Self reported incidents — data protection 


[Chart: self reported incidents received and finished]
Outcomes of self reported incidents finished

[Bar chart, 15/16 and 16/17: number of self reported incidents finished by outcome. Outcomes shown: No action for DC*; DC action required; Improvement Action plan agreed; Civil Monetary Penalty pursued]

*Data Controller


Self reported incidents finished with the following outcomes — undertaking 
served, not DPA, advisory visit recommended, compliance audit 
recommended, enforcement notice pursued, DC outside UK and criminal 
investigation pursued represented 1.8% of the total. 


Sectors generating most self reported incidents 


41% Health
11% Local government
9% General business
6% Education
4% Solicitors/Barristers
4% Charities
4% Policing & criminal records
2% Housing
2% Financial advisors
2% Central government
2% Lenders
2% Telecoms
2% Retail
1% Regulators
1% Insurance
1% Social services
1% Internet
1% Clubs/Associations
1% Pensions
1% Courts/Justice system
Types of incidents generating most reports

20% Other principle 7 failure
15% Data posted or faxed to incorrect recipient
14% Loss/theft of paperwork
Cyber incident
11% Data sent by email to incorrect recipient
7% Failure to redact data


PECR concerns

[Chart: concerns reported, 2015/16 and 2016/17]

                             2015/16    2016/17
Cookie concerns reported     210        195

Nature of telesales and SPAM texts reported

SPAM texts                                        11%
Telesales call where I heard a recorded voice     49%
Telesales call where I spoke to a person          40%

[Pie chart. A further data label, 7.1%, survives without its caption.]
Self reported incidents under PECR

Types of incidents generating most reports

Other principle 7 failure
11% Data sent by email to incorrect recipient
9% Data posted / faxed to incorrect recipient
5% Verbal disclosure


Information access

[Chart: requests received and requests completed. Surviving data label: 21.1%.]

Requests by legislation

[Chart: EIR; FOIA; Hybrid]
Response times

[Table: time for compliance; average time (days)]

Request outcomes

[Bar chart: requests by outcome. Outcomes shown: Information provided in full; Information partially provided; Information withheld; Information not held; Further clarification needed; Misguided request; Withdrawn]
Internal reviews

[Chart: reviews completed]

Response times

                        2015/16    2016/17
Completed in 20 days    31         45
Average days            17         16

Review outcomes

[Bar chart, 15/16 and 16/17. Outcomes shown: Not upheld; Partially upheld]


We also responded to 289 subject access requests from people wanting to 
confirm if their details were included on the construction industry blacklist 
seized in 2009 from The Consulting Association. 
Sustainability


Overall strategy 


The majority of ICO staff are based near Manchester in one leased building. 
The building was refurbished in 2010 and the ICO invested in the most 
appropriate environmental solutions available at that time. The building has 
a government energy performance operating rating of 62. A rating below 
100 is an above average (positive) outcome. 


The ICO continues to expand as it takes on wider duties, with the 
implementation of the GDPR and LED having a major effect on staffing levels 
during 2017-2018 and 2018-2019. The increase in staff numbers should 
reduce scope 1 and 2 emissions per full time equivalent staffing but at the 
same time could increase scope 3 (travel) emissions. 


During 2017-2018 we are introducing a centralised travel and 
accommodation booking service. This will provide more accurate information 
on office travel, better informing the office of the impact of travel decisions 
on greenhouse gas emissions.


Performance 


The ICO’s sustainability performance is detailed below. In general terms 
there is a gradual overall decline in CO2 emissions against a background of a 
growing and changing organisation which makes future projections difficult. 


Biodiversity action planning


The ICO is not responsible for any outside space and does not have a
biodiversity plan.


Sustainable procurement 


We ask those tendering for contracts to provide their sustainability 
statements and policies as standard in most procurement exercises. 
Greenhouse gas emissions

Total tonnes CO2

                          2013/14    2014/15    2015/16    2016/17
Scope 1 (gas)             10         9          18         7
Scope 2 (electricity)     209        238        160        123
Scope 3 (travel)          44         67         94         86
Total emissions           263        314        273        217

Tonnes CO2 per full time equivalent staffing

                          2013/14    2014/15    2015/16    2016/17
Scope 1 (gas)             0.03       0.02       0.04       0.02
Scope 2 (electricity)     0.59       0.65       0.39       0.30
Scope 3 (travel)          0.12       0.19       0.23       0.21
Total                     0.74       0.86       0.67       0.53

Waste minimisation and management and finite resource consumption

Total waste, water and paper consumption

                          2013/14    2014/15    2015/16    2016/17
Waste / tonnes            [illegible: "iaa 8 AR"]   16         16
Water consumption / m³    2,196      2,791      2,100      2,382
A4 paper / reams          3,580      3,540      3,700      4,000

Waste, water and paper consumption per full time equivalent staffing

                          2013/14    2014/15    2015/16    2016/17
Waste / tonnes            0.02       0.03       0.04       0.04
Water consumption / m³    6.20       7.68       5.14       5.82
A4 paper / reams          10.11      9.74       9.06       9.78
Details of ICO performance:

Total travel

2013/14 2014/15 2015/16 2016/17

Travel per full time equivalent staffing

Total utilities

                   2013/14    2014/15    2015/16    2016/17
Gas
  kWh              56,941     47,569     99,146     37,336
  Cost £           2,271      1,775      3,703      1,606
  Tonnes CO2       10         9          18         7
Electricity
  kWh              432,199    443,299    319,493    246,219
  Cost £           62,561     66,959     64,957     50,238
  Tonnes CO2       209        238        160        123
Utility summary
  Cost £           64,832     68,734     68,660     51,844
  Tonnes CO2       219        247        178        130

Utilities per full time equivalent staffing

                   2013/14    2014/15    2015/16    2016/17
Gas
  kWh              160.85     130.68     242.65     91.29
  Cost £           6.42       4.88       9.06       3.93
  Tonnes CO2       0.03       0.02       0.04       0.02
Electricity
  kWh              1,221      1,218      782        602
  Cost £           176.72     183.95     158.97     122.83
  Tonnes CO2       0.59       0.65       0.39       0.30
Utility summary
  Cost £           183.14     188.83     168.04     126.76
  Tonnes CO2       0.62       0.68       0.44       0.32


Notes: 


• Information on waste is provided by the contractors.
• Travel costs and mileage are collated from central records and from
  staff directly.
• The information is collated quarterly and if figures are not consistent with
  expectations they are checked.
• Figures may not add due to rounding.
The legislation we regulate


The Data Protection Act 1998 (DPA) gives citizens important rights 
including the right to know what information is held about them and the 
right to correct information that is wrong. The DPA helps to protect the 
interests of individuals by obliging organisations to manage the personal 
information they hold in an appropriate way. 


The Freedom of Information Act 2000 (FOIA) gives people a general 
right of access to information held by most public authorities. Aimed at 
promoting a culture of openness and accountability across the public sector, 
it enables a better understanding of how public authorities carry out
their duties, why they make the decisions they do and how they spend
public money. 


The Privacy and Electronic Communications Regulations 2003 (PECR) 
support the DPA by regulating the use of electronic communications for the 
purpose of unsolicited marketing to individuals and organisations, including 
the use of cookies. 


The Environmental Information Regulations 2004 (EIR) provide an 
additional means of access to environmental information. The Regulations 
cover more organisations than the FOIA, including some private sector 
bodies, and have fewer exceptions. 


The Infrastructure for Spatial Information in the European 
Community Regulations 2009 (INSPIRE) give the Information 
Commissioner enforcement powers in relation to the pro-active provision 
by public authorities of geographical or location based information. 


The Data Retention Regulations 2014 (DRR) provided the Information
Commissioner with a limited supervisory role under the Data Retention
and Investigatory Powers Act 2014 (DRIPA). This Act was repealed
on 31 December 2016 but the ICO’s duties have been carried forward
to the Investigatory Powers Act 2016 (IPA). The Acts impose duties
on communications service providers in respect of the retention of
communications data for third party investigatory purposes where they
have been issued with a notice from the Secretary of State. The Information
Commissioner has a duty to audit the security, integrity and destruction of
that retained data.


The Re-use of Public Sector Information Regulations 2015 (RPSI) 
gives the public the right to request the re-use of public sector information 
and details how public sector bodies can charge for re-use and licence the 
information. The ICO deals with complaints about how public sector bodies 
have dealt with requests to re-use information. 


The Electronic Identification and Trust Services for Electronic 
Regulations 2016 (eIDAS) facilitate secure streamlined electronic 
transactions between businesses, individuals and public authorities in the 
EU and set out requirements that trust service providers must comply with. 
The ICO, as the UK’s designated Supervisory Authority for eIDAS, can grant 
qualified status to those providers who comply with extra requirements set 
out in the Regulations. The ICO also has powers of enforcement. 




Going concern 


The accounts are prepared on a going concern basis as a non-trading entity 
continuing to provide statutory public sector services. 


Grant in aid has already been included in the Department for Culture, Media 
and Sport's (DCMS's) estimate for 2017-18, and the Digital Economy Act 
2017 has enshrined in law the ICO’s ability to fund data protection-related 
work through fees paid by data controllers from April 2018 onwards. There is 
no reason to believe that future sponsorship and parliamentary approval will 
not be forthcoming. 


Operational performance summary 


The ICO's overall productivity for our data protection, freedom of information 
and self reported breach work is up on last year with data protection 
closures in particular increasing by 1,637 (10%). Freedom of information, 
written advice and enforcement work also continued an upwards trend. 


Our policy and liaison teams have also seen increased workloads as a result 
of the higher volume of cases requiring their input, greater international 
engagement and preparation for the implementation of the GDPR and LED. 


Enforcement and investigations work also shows increases in most areas, with
major investigations into the work of private investigators acting on behalf
of corporate clients and the automotive repair industry, amongst others,
ongoing during the year.
Financial performance summary


Grant in aid 


Freedom of information expenditure continued to be funded by grant in aid. 
The grant in aid for 2016-17 was £3,750k (2015-16: £3,750k). 


No grant in aid was carried forward in 2016-17 (2015-16: nil). 


Fees 


Data protection activities are financed by fees collected from data controllers
who have to notify their processing of personal data under the DPA.

The annual fee is £35, unchanged from its introduction in 2000. It applies to
charities and small organisations with fewer than 250 employees. In 2009
a higher fee of £500 was introduced for larger data controllers defined as
those with an annual turnover of £25.9 million or more and employing more
than 250 people. For public authorities employing more than 250 people the
fee is also £500.


Fees collected in the year totalled £19,729k (2015-16: £18,311k); 
a 7.7% increase on the previous year. 


The ICO is allowed to carry forward into the following financial year funds 
that are necessary to meet any liabilities arising in the preceding financial 
year, such as creditors. £116k (2015-16: £1,742k) has been carried forward 
into 2016-17, along with an additional amount of £172k (2015-16: £158k) 
as uncleared cash in transit which was not available for spend. 


Annual expenditure 
The total comprehensive expenditure for the year was £4,504k 
(2015-16: £5,255k). 


Financial instruments 


Details of our approach and exposure to financial risk are set out in 
note 8 to the financial statements. 




Elizabeth Denham 
Information Commissioner 
5 July 2017 
Directors' report


Directorships and other significant interests held 
by Board Members that may conflict with their 
management responsibilities 


Membership of the ICO Management Board, along with further information, 
is detailed in the Governance Statement. 


A register of interests is maintained for the Information Commissioner and
her Management Board. It is published on the Commissioner's website
at www.ico.org.uk. Declarations of interest in any of the items coming to
a particular meeting are also asked for at Board, Audit Committee and
Remuneration Committee meetings.


Employee involvement and well being 


The ICO has a policy of co-operation and consultation with recognised trade 
unions over matters affecting staff, and senior managers regularly meet with 
trade unions to discuss issues of interest. In addition staff involvement in the 
work of the office is actively encouraged as part of the day-to-day process of 
line management. 


Equal opportunities and diversity 


We aim to ensure that all members of society have awareness of, and access 
to, their information rights and receive appropriate protection if their rights 
are infringed. To do this we have sought to include equality and diversity in 
our daily work. 


Our Equality and Diversity Committee and Senior Leadership Team oversee 
our efforts to provide an increasingly accessible service. As part of this we 
have improved the co-ordination of reports on equality based activity, giving 
a better picture of how we meet the aims of the Equality Act and in turn 
enabling us to publish our Annual Equality Report. 


We have also provided our staff with a work environment and IT systems 
which help meet a range of needs; including accessible offices and IT 
systems, flexible and part-time working to help work-life balance and the 
provision of occupational health services. 


We aim to recruit from a range of backgrounds and take the applicant 
anonymous approach when assessing candidates for employment. 


The community 


This year ICO staff chose to support the charity Dyslexia Action and raised 
almost £4,000. 
Pension liabilities


Details regarding the treatment of pension liabilities are set out in note 3 to 
the financial statements. 


Personal data incidents 


There have been no substantive security incidents during 2016-17. 


Public sector information holders 


The ICO has complied with the cost allocation and charging requirements set 
out in HM Treasury guidance. 


Annual accounts and audit 


The annual accounts have been prepared in a form directed by the Secretary
of State with the consent of the Treasury in accordance with paragraph
(10)(1)(b) of Schedule 5 to the DPA. Under paragraph (10)(2) of Schedule 5
to the DPA the Comptroller and Auditor General is appointed auditor to the
Information Commissioner. The cost of audit services for this year was £30k
(2015-16: £32.50k). No other assurance or advisory services were provided.


So far as the Accounting Officer is aware there is no relevant audit 
information of which the Comptroller and Auditor General is unaware, and 
the Accounting Officer has taken all the steps that she ought to have taken 
to make herself aware of relevant audit information and to establish that the 
Comptroller and Auditor General is aware of that information. 


Directors’ statement 
Each of the persons who are directors at the time this report is approved: 


(a) so far as the director is aware there is no relevant audit information 
of which the auditor is unaware; and 


(b) the director has taken all the steps they ought to have taken as a 
director in order to make themselves aware of any relevant audit 
information and to establish that the auditor is aware of that information. 
Statement of the Information
Commissioner's responsibilities 


Under paragraph 10(1)(b) of Schedule 5 to the DPA the Secretary of State
has directed the Information Commissioner to prepare for each financial year
a statement of accounts in the form and on the basis set out in the Accounts
Direction. The accounts are prepared on an accruals basis and must give a
true and fair view of the state of affairs of the Information Commissioner
at the year end and of her income and expenditure, recognised gains and
losses and cash flows for the financial year.


In preparing the accounts the Information Commissioner is required to
comply with the requirements of the Government Financial Reporting Manual
(FReM) and in particular to:

• observe the Accounts Direction issued by the Secretary of State with
the approval of the Treasury, including the relevant accounting and
disclosure requirements, and apply suitable accounting policies on a
consistent basis;

• make judgements and estimates on a reasonable basis;

• state whether applicable accounting standards as set out in the FReM
have been followed, and disclose and explain any material departures in
the financial statements; and

• prepare the financial statements on the going concern basis, unless it is
inappropriate to presume that the Information Commissioner's Office will
continue in operation.


The Accounting Officer of the DCMS has designated the Information 
Commissioner as Accounting Officer for her Office. The responsibilities of an 
Accounting Officer, including responsibility for the propriety and regularity of 
the public finances and for keeping of proper records and for safeguarding 
the Information Commissioner's assets, are set out in the Non-Departmental 
Public Bodies' Accounting Officer Memorandum, issued by the Treasury and
published in Managing Public Money. 


The Accounting Officer has confirmed that the annual report and accounts 
as a whole is fair, balanced and understandable and that she takes personal 
responsibility for the annual report and accounts and the judgements 
required for determining that it is fair, balanced and understandable. 
Governance statement


Introduction 


The Information Commissioner is a corporation sole as established
under the DPA. Under the terms of the EU Data Protection Directive the
Information Commissioner and her office must be completely independent of
Government. I am accountable to Parliament for the exercise of my statutory
functions and the independence of the ICO is enshrined in legislation.


Relationship with the Department for Culture, Media and Sport 


The DCMS is the sponsoring department for the ICO. The relationship with 
the department is governed by a draft Management Agreement which sets 
out our responsibility to support the work of both organisations and to help 
ensure my independence and that of my office. The draft agreement also 
ensures that appropriate reporting arrangements are in place to enable the 
DCMS to monitor the expenditure of public money allocated to the ICO. 


The DCMS has policy responsibility for the DPA and its associated legislation. 
The Cabinet Office had policy responsibility for the FOIA. 


Management Board 


I have a Management Board to support me in the role of Accounting Officer. 
The Board is responsible for developing strategy, monitoring progress in 
implementing strategy, providing corporate governance and assurance and 
for managing corporate risks. The Board comprises myself, two Deputy
Commissioners, a Deputy Chief Executive Officer, and up to four
non-executive members.


The Board meets quarterly and considers risk management as well as
reports on operational, financial, organisational and corporate issues.
It also received reports from my Audit Committee, Remuneration Committee
(now disbanded), and Senior Management Team (now the Senior
Leadership Team).
In the course of 2016-17 there were major changes in ICO
senior management:

• Christopher Graham's tenure as Information Commissioner ended on
29 June 2016. Simon Entwisle, as Deputy Commissioner, took on the
responsibilities of the Commissioner pending my tenure commencing on
18 July 2016.

• Steve Wood was made interim Deputy Commissioner as of 30 June 2016,
to support both Simon Entwisle and then me in the role of Commissioner
until shortly after the appointment of Rob Luke as my Deputy
Commissioner (Policy) in February 2017.

• As part of the management reorganisation Paul Arnold was appointed
interim Deputy Chief Executive Officer as of 3 January 2017. His position
was subsequently made permanent following a full and open
recruitment exercise.

• There were also changes to the Non-executive Directors. Ian Watmore
stood down in the Summer 2016 and Jane McCall and David Cooke were
both appointed to the two vacant positions.


The table below details attendance at the Management Board meetings 
during the year. 


Dates: 25-Apr-16, 25-Jul-16, 31-Oct-16, 06-Feb-17

Christopher Graham 1

[The remaining attendance rows are illegible in the source.]


Notes

End of tenure 29 June 2016

Beginning of tenure 18 July 2016

From 27 June 2016 to 31 March 2017

Appointed 30 January 2017

Appointed 3 January 2017

Stood down 30 September 2016

Appointed 31 October 2016

Appointed 31 October 2016
Audit committee


The Audit Committee meets quarterly and provides scrutiny, oversight and 
assurance in respect of risk control and governance. Up to its June 2016 
meeting the Committee consisted of Ian Watmore as chair of the Committee, 
Ailsa Beaton as the other non-executive member and Roger Barlow as the 
independent member. On Ian's departure Ailsa Beaton was appointed chair 
and Jane McCall was appointed as a non-executive member. 


The table below shows attendance of Audit Committee members at the 
meetings during the year. 


Dates 06-Jun-16 12-Sep-16 12-Dec-16 07-Mar-17 Notes

Ian Watmore 1 1 Chair to the September 2016 meeting

Roger Barlow 1 1 1 1

[One row is illegible in the source; its note ends "2016 meeting".]

Jane McCall 1


Both external and internal auditors attend the Audit Committee and have 
pre-meetings with Committee members. 


The Audit Committee has published its own Annual Report for 2016-17 on 
the ICO website (www.ico.org.uk). The report states that the Committee is 
satisfied with the quality of internal and external audit and believes that it 
is able to take a measured and diligent view of the quality of the systems of 
reporting and control within the ICO. 


Remuneration committee 


The Board was supported by a Remuneration Committee consisting of two 
non-executive Board members, Ailsa Beaton (chair) and Nicola Wood. The 
Committee met on the 18 May 2016. Since then Management Board has 
confirmed a decision to disband the Committee, subsuming its role into that 
of the Management Board. 


Senior management team and senior leadership team 


The Senior Management Team provided day-to-day leadership for the ICO 
and as such was responsible for developing and delivering against the 
information rights strategy and the ICO Plan. The Team consisted of me, 
my Deputy Commissioners, Deputy Chief Executive Officer and Heads of 
Department. It met fortnightly with its last meeting on 23 January 2017. 


As part of the reorganisation of the governance structure, from February 
onwards the Senior Management Team was replaced as the body responsible 
for providing day to day leadership of the ICO by my Senior Leadership 
Team. This team consisted of me, my Deputy Commissioners and my Deputy 
Chief Executive Officer. 




Board effectiveness 


Given the major changes in Board membership during the year the Board considered it more 
appropriate to evaluate its own performance formally at a later stage. 


The Management Board has previously considered its compliance with the 
“Corporate governance in central government departments: Code of good 
practice 2011”. The ICO does not fully comply with the code, but the Board 
consider that there are good reasons for this given the size and nature of the 
organisation as a corporation sole. In particular: 


• the Board does not have the powers and duties of a Board in which is
vested the ultimate authority of the organisation. This is because the
Commissioner is the ‘corporation’;

• the Board does not have a lead non-executive director, but given the size
of the Board and the ICO and its responsibilities, this is not felt necessary;

• non-executive members do not have a specific section in the ICO’s Annual
Report but this is not currently considered necessary;

• composition of the Board reflects the nature, responsibilities and size of
the ICO;

• the ICO does not have a Nominations and Governance Committee but
the Board's focus on governance, and its taking on of the previous
Remuneration Committee's overview of remuneration policies in general is
considered to provide the necessary coverage; and

• in respect of an operating framework the Board operates within the
overall system of corporate governance at the ICO and has recently
agreed revised terms of reference.


The Board has recently reviewed the information it receives and is satisfied 
with its quality. The format of papers coming to the Board is being revised to 
better reflect the new management and governance structures now in place. 


Issues and highlights 

The ICO’s corporate governance structure has considered various issues of
substance during the course of the year. These include:

• the impact of the June 2016 referendum on EU membership on the work
of the ICO and on introduction of the GDPR in May 2018;

• ICO preparedness for the implementation of GDPR as the likely regulator
of the new data protection legislation from May 2018;

• management and governance reorganisation and the recruitment and
induction of a new Senior Leadership Team;

• the setting up of a grants scheme; and

• an updated Information Rights Strategy.
A risk assessment


Risks are regularly reviewed by senior managers with a major review
each spring. The risk register is also discussed at Management Board,
Audit Committee and at quarterly meetings with the DCMS,
our sponsoring department.


The main risks identified during the 2016-17 year related to: 


Change

• the ICO is preparing to implement the GDPR and the Law Enforcement
Directive in May 2018, both of which will have a large impact on the work
of the ICO and how we regulate data protection compliance.

• the ICO has welcomed a new Commissioner, Elizabeth Denham, and a
new Senior Leadership Team. There have been subsequent changes to the
management and governance structures.


ICO relevance

• the ICO covers a range of issues and prioritises on the basis of
information risk. In doing so there is a risk that we do not properly
understand or reflect the concerns of stakeholders and that we are seen
as not being relevant.


Resources

• the ICO is preparing to implement the GDPR and the LED. We have been
working with DCMS to ensure finances for 2017-18 are in place to allow
us to adequately prepare for the change, and then from 2018-19 onwards
to implement the new legislation.


The main area of uncertainty for the future relates to implementation of the
GDPR and LED in May 2018. In particular:

• changing internal processes and procedures and making sure we have
the right staff in the right place to provide advice and to enforce the GDPR
and LED.

• providing guidance on the requirements of the GDPR and LED
for data controllers, and explaining to the public their rights under
the new legislation.

• introducing a new robust fee system to finance data protection work.


Sources of assurance 


As Accounting Officer I have responsibility for reviewing the effectiveness
of the system of internal control, including the risk management framework.
My review is informed by the work of the internal auditors and the Senior
Management and Leadership Team members who have responsibility for the
development and maintenance of the internal control framework,
and comments made by the external auditors in their management letter
and other reports. In their annual report, our internal auditors have given
an overall assurance that they are satisfied that sufficient internal audit work
has been undertaken to allow them to draw a reasonable conclusion as to
the adequacy and effectiveness of the ICO’s risk management,
governance and control processes.


I have been advised on the implications of the result of my review by
the Board and the Audit Committee. I am satisfied that a plan to address
weaknesses in the system of internal control and ensure continuous
improvement of the system is in place. I am also satisfied that all material
risks have been identified and that those risks are being properly managed.
Remuneration policy (audited)


Schedule 5 to the DPA provides that the salary of the Information 
Commissioner is to be specified by a Resolution of the House of Commons 
and on 24 November 2008 the House of Commons resolved that in respect of 
service after 30 November 2007 the salary of the Information Commissioner 
should be £140,000 pa. The salary of the Information Commissioner is paid 
directly from the Consolidated Fund in accordance with the Schedule. 


Prior to 1 September 2013 the remuneration of staff and other officers
was determined by the Information Commissioner with the approval of
the Secretary of State. Following commencement of Section 108 of the
Protection of Freedoms Act such decisions are now made in consultation
with the Secretary of State and Treasury.


In making decisions on remuneration the Information Commissioner has 
regard to the following considerations: 


• the need to recruit, retain and motivate suitably able and qualified people;

• government policies for improving the public services;

• the funds available to the Information Commissioner; and

• Treasury pay guidance.


Prior to the Remuneration Committee's role being subsumed within that of
the Management Board, it considered and advised the Management Board on
remuneration policies and practices for all staff, and on behalf of the Board,
determined appropriate remuneration for the Deputy Commissioners and the
Deputy Chief Executive Officer.


Unless otherwise stated, staff appointments are made on merit on the basis 
of fair and open competition and are open-ended until normal retiring age. 
Early termination, other than for misconduct, should result in the individual 
receiving compensation as set out in the Civil Service Compensation Scheme. 


Non-executive Directors are paid an annual salary of £12,000 and are 
appointed for an initial term of three years, renewable by mutual agreement 
for one further term of a maximum of three years. 
Remuneration and staff report


Salary and pension entitlements 

Details of the remuneration and pension interests of the Information 
Commissioner and his most senior officials are provided below. 

Remuneration (salary, bonuses, benefits in kind and pensions) (audited) 


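Single total figure of remuneration

Columns: Salary (£'000); Benefits in kind (£'000) (nearest £100); Compensation schemes (£'000); Pension benefits (£'000)¹; Total (£'000). Entries marked [illegible] or [missing] cannot be read in the source.

Elizabeth Denham, Information Commissioner & Chief Executive
  Salary: 2016/17 [illegible] (full year 140-145); 2015/16 —
  Benefits in kind: 2016/17 41.6; 2015/16 —
  Compensation schemes: 2016/17 —; 2015/16 —
  Pension benefits: 2016/17 35-40; 2015/16 —
  Total: 2016/17 175-180; 2015/16 —

Christopher Graham, Information Commissioner & Chief Executive
  Salary: 2016/17 30-35 (full year 140-145); 2015/16 140-145
  Benefits in kind: 2016/17 —; 2015/16 —
  Compensation schemes: 2016/17 —; 2015/16 —
  Pension benefits: 2016/17 —; 2015/16 [illegible]
  Total: 2016/17 [illegible]; 2015/16 190-200

Simon Entwisle, Director of Operations/Deputy CEO
  Salary: 2016/17 95-100; 2015/16 90-95
  Benefits in kind: 2016/17 0.1; 2015/16 0.1
  Compensation schemes: 2016/17 —; 2015/16 —
  Pension benefits: 2016/17 [illegible]; 2015/16 [illegible]
  Total: 2016/17 [illegible]-120; 2015/16 [illegible]-135

Paul Arnold, Deputy Chief Executive Officer
  Salary: 2016/17 60-65 (full year 80-85); 2015/16 —
  Benefits in kind: 2016/17 —; 2015/16 —
  Compensation schemes: 2016/17 —; 2015/16 —
  Pension benefits: 2016/17 25-30; 2015/16 —
  Total: 2016/17 95-100; 2015/16 —

Rob Luke, Deputy Commissioner (Policy)
  Salary: 2016/17 10-15 (full year 80-85)
  Other columns: [missing]

Steve Wood, Interim Deputy Commissioner (Policy)
  Salary: 2016/17 65-70; 2015/16 —
  Benefits in kind: 2016/17 —; 2015/16 —
  Compensation schemes: 2016/17 —; 2015/16 —
  Pension benefits: 2016/17 40-45; 2015/16 —
  Total: 2016/17 [missing]; 2015/16 —

David Smith, Deputy Commissioner & Director for Data Protection
  Salary: 2016/17 —; 2015/16 70-75 (full year 90-95)
  Benefits in kind: 2016/17 —; 2015/16 0.1
  Compensation schemes: 2016/17 —; 2015/16 —
  Pension benefits: 2016/17 —; 2015/16 55-60
  Total: 2016/17 —; 2015/16 [missing]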
Single total figure of remuneration

Columns: Salary (£'000); Benefits in kind (£'000) (nearest £100); Compensation schemes (£'000); Pension benefits (£'000)¹; Total (£'000). No entries are shown under Benefits in kind or Compensation schemes for the officials below, and pension benefits are shown for Graham Smith only.

Graham Smith, Deputy Commissioner & Director for Freedom of Information
  Salary: 2016/17 —; 2015/16 50-55 (full year 90-95)
  Pension benefits: 2016/17 —; 2015/16 15-20
  Total: 2016/17 —; 2015/16 60-70

Ailsa Beaton, Non-Executive Board Member
  Salary: 2016/17 10-15; 2015/16 10-15
  Total: 2016/17 10-15; 2015/16 10-15

Nicola Wood, Non-Executive Board Member
  Salary: 2016/17 10-15; 2015/16 10-15
  Total: 2016/17 10-15; 2015/16 10-15

David Cooke, Non-Executive Board Member
  Salary: 2016/17 5-10 (full year 10-15); 2015/16 —
  Total: 2016/17 5-10; 2015/16 —

Jane McCall, Non-Executive Board Member
  Salary: 2016/17 5-10 (full year 10-15); 2015/16 —
  Total: 2016/17 5-10; 2015/16 —

Andrew Hind, Non-Executive Board Member
  Salary: 2016/17 —; 2015/16 5-10 (full year 10-15)
  Total: 2016/17 —; 2015/16 5-10

Ian Watmore, Non-Executive Board Member
  Salary: 2016/17 5-10 (full year 10-15); 2015/16 10-15
  Total: 2016/17 5-10; 2015/16 10-15


* Includes benefits accrued prior to ICO employment.

The value of pension benefits accrued during the year is calculated as the
real increase in pension multiplied by 20 plus the real increase in any lump 
sum, less the contributions made by the individual. The real increases 
exclude increases due to inflation or any increase or decrease due to a 
transfer of pension rights. 


Salary comprises gross salary and any other allowance to the extent that it 
is subject to UK taxation. Bonus payments of £89 were made in 2016-17 to 
two Board Members. 


A relocation package of up to £50k to be paid by the ICO was agreed to 
cover Elizabeth Denham’s relocation expenses. The actual spend from 
this allocation has been reflected as a benefit in kind. All other benefits in 
kind relate to the organisation's contribution to the ICO's health care plan 
provided by BHSF. 


Pay multiples (audited) 


Reporting bodies are required to disclose the relationship between the 
remuneration of the highest paid director in their organisation and the 
median remuneration of the organisation's workforce. The Information 
Commissioner is deemed to be the highest paid Director and no member of 
staff receives remuneration higher than the highest paid Director. 


The banded remuneration of the highest paid director of the ICO in the
financial year 2016-17 was £140k to £145k (2015-16: £140k to £145k).
This was 5.6 times (2015-16: 5.7 times) the median remuneration of
the workforce, which was £24,911 (2015-16: £24,651). The median total
remuneration is calculated by ranking the annual full time equivalent salary
as at 31 March 2017 for each member of staff. To allow comparability,
remuneration of the highest paid director excludes the one-off
benefits-in-kind package of £41.6k disclosed in the table on page 47.


Staff remuneration ranged from £16,428 to £140,000 (2015-16: £16,328 
to £140,000). 


Total remuneration includes salary, non-consolidated performance-related 
pay and benefits-in-kind. It does not include severance payments, 
employer pension contributions or the Cash Equivalent Transfer Value 
(CETV) of pensions. 


In common with other public sector organisations, the ICO has adhered 
to government pay restraint policies. 




Pension Benefits (audited) 


Columns (all £'000): Accrued pension at pension age as at 31 March 2017 and related lump sum; Real increase in pension and related lump sum at pension age; CETV at 31 March 2017; CETV at 31 March 2016; Real increase in CETV.

Officials listed:

Elizabeth Denham, Information Commissioner
Christopher Graham, Information Commissioner (left scheme prior to end of employment)
Simon Entwisle, Director of Operations/Deputy CEO
Paul Arnold, Deputy Chief Executive Officer
Rob Luke, Deputy Commissioner (Policy)
Steve Wood, Deputy Commissioner (interim)
David Smith, Deputy Commissioner and Director for DP
Graham Smith, Deputy Commissioner and Director for FOI

[The rows of this table cannot be matched to officials in the source. The surviving entries are listed below in the order they appear.]

Accrued pension at pension age as at 31 March 2017 and related lump sum:
40-45 plus lump sum 130-135
10-15 plus lump sum 35-40
15-20 plus lump sum 40-45

Real increase in pension and related lump sum at pension age, followed by CETV at 31 March 2017:
0-2.5; 33
0-2.5 plus lump sum 2.5-5; [illegible]
0-2.5 plus lump sum 2.5-5; 290
0-2.5 plus lump sum 2.5-5; 218
0-2.5; 139


The CETV figures are provided by MyCSP, the ICO’s Approved Pensions
Administration Centre, who have assured the ICO that they have been
correctly calculated following guidance provided by the Government
Actuary's Department.




Partnership pensions 


There were no employer contributions to partnership pension accounts in the 
year for the above staff. 


Civil service pensions 


Further details about the Civil Service pension arrangements are available at
www.civilservice.gov.uk/pensions.


Cash Equivalent Transfer Values 


A CETV is the actuarially assessed capitalised value of the pension scheme
benefits accrued by a member at a particular point in time. The benefits
valued are the member's accrued benefits and any contingent spouse's
pension payable from the scheme. It represents the amount paid by
a pension scheme or arrangement to secure pension benefits in another
pension scheme arrangement when the member leaves a scheme and
chooses to transfer the benefits accrued in their former scheme.


The pension figures shown relate to the benefits that the individual has 
accrued as a consequence of their total membership of the pension scheme, 
not just their service in a capacity to which disclosure applies. 


The figures include the value of any pension benefit in another scheme or
arrangement that the individual has transferred to the Civil Service pension
arrangements. They also include any additional pension benefit accrued to
the member as a result of their purchasing additional pension benefits at
their own cost. CETVs are worked out in accordance with The Occupational
Pensions Schemes (Transfer Values) (Amendment) Regulations 2008 and
do not take account of any actual or potential reduction to benefits resulting
from Lifetime Allowance Tax which may be due when pension benefits
are taken.


Real increase in CETV 


This reflects the increase in CETV that is funded by the employer. It does not 
include the increase in accrued pension due to inflation, contributions paid by 
the employee (including the value of any benefits transferred from another 
pension scheme or arrangement) and uses common market valuation factors 
for the start and end of the period. 


Number of senior civil service staff (or equivalent) by band 


The Information Commissioner, the two Deputy Commissioners, the Deputy 
Chief Executive Officer and the Non-executive Directors are the only staff 
categorised as being at a grade equivalent to the senior civil service. 


Staff numbers and costs (split between permanent and short
term contract/agency staff)


As at 31 March 2017 the ICO had 472 permanent staff (439.4 full time 
equivalents). The average number of permanent staff over the year was 460 
(426.4 full time equivalents). 


During 2016-17 the ICO employed an average of nine other staff 
(eg temporary or agency) (8.6 full time equivalents). 
Staff costs comprise:


                                   Permanently
                                   employed staff    Others    2016/17 Total
                                            £'000     £'000            £'000
Wages and salaries                         12,368       238           12,606
Social security costs                       1,173         —            1,173
Other pension costs                         2,487         —            2,487
Sub-total                                  16,028       238           16,266
Less recoveries in respect of
outward secondments                          (91)         —             (91)
Total net costs                            15,937       238           16,175


Staff composition 


As of the end of this financial year there were eight members of the 
Management Board of whom four were male and four female. 


Across the ICO as a whole 39% of staff were male and 61% female. 


Sickness absence 


The average number of sick days taken per person during the year was six 
days (2015-16: 5.6 days). 


Staff policies relating to the employment of disabled persons 


The ICO's recruitment processes ensure that shortlisting managers only 
assess the applicant's skills, knowledge and experience for the job. 
All personal information is removed from applications before shortlisting. 


The ICO applies the Disability Confident standard for job applicants who
are disabled. It has also assisted in the continued employment of disabled
people by providing a work environment that is accessible and equipment
that allows people to perform effectively. Our disabled staff are given
equal access to training and promotion opportunities and adjustments are
made to work arrangements, work patterns and procedures to ensure that
people who are, or become, disabled, are treated fairly and can continue to
contribute to the ICO's aims.


Expenditure on consultancy

During 2016-17 there has been no expenditure on consultancy as defined 
in Cabinet Office spending controls guidance. 

Off-payroll engagements 


There were no off-payroll engagements during 2016-17.


Exit packages (audited) 

There were no exit packages paid in the year (2015-16: nil). 

Redundancy and other departure costs are paid in accordance with the
provisions of the Civil Service Compensation Scheme, a statutory scheme
made under the Superannuation Act 1972. Exit costs are accounted for
in full in the year of departure. Where the Information Commissioner has
agreed early retirements the additional costs are met by the Information
Commissioner and not by the Principal Civil Service Pension Scheme
(PCSPS). Ill health retirement costs are met by the pension scheme and
are not included in the table above.


There were no compulsory redundancies in the year (2015-16: none). 


Ex-gratia payments made outside of the provisions of the Civil Service 
Compensation Scheme are agreed directly with the Treasury. 


Regularity of expenditure (audited) 


There are no regularity of expenditure issues. 


Fees and charges (audited) 


Information on fees collected from data controllers who notify their 
processing of personal data under the DPA is provided as part of the 
performance report earlier in this document. 


Remote contingent liabilities 


Please see note 16 to the accounts. 
Long-term expenditure trends


During 2017-18 the ICO faces the challenge not only of maintaining its
performance in processing work arising from its current responsibilities under
the DPA, but also of preparing for major changes to its data protection work
with the introduction of the GDPR and LED in May 2018. This represents a
major change in data protection legislation which will have a large impact,
not only on the duties and responsibilities of data controllers and the rights
of individual citizens, but also on how the ICO works as a regulator.


The Government's impact assessment suggests the additional work has the
potential, in the long term, to require up to a 70% increase in the office's
budget for data protection work. From 2018-19 a new data protection
fee structure will allow the ICO to better match fee income to the cost of
regulation. However, in the short term (2017-18) the cost of preparing for
these changes is estimated at £1.6m above projected data protection
fee income. DCMS has confirmed additional funding of £1.4m, to be
repaid, to help cover the projected budget shortfall during 2017-18. The
ICO fully anticipates finding the balance by effective management of the
notification fee process and of expenditure during the year.




Elizabeth Denham 
Information Commissioner 
5 July 2017 
The Certificate and Report of the
Comptroller and Auditor General 
to the Houses of Parliament 


I certify that I have audited the financial statements of the Information 
Commissioner's Office for the year ended 31 March 2017 under the Data 
Protection Act 1998. The financial statements comprise: the Statements of 
Comprehensive Net Expenditure, Financial Position, Cash Flows, Changes in 
Taxpayers' Equity; and the related notes. These financial statements have 
been prepared under the accounting policies set out within them. I have 
also audited the information in the Remuneration and Staff Report and the 
Parliamentary Accountability Disclosures that is described in that report as 
having been audited. 


Respective responsibilities of the Board, Accounting Officer 
and auditor 


As explained more fully in the Statement of Information Commissioner's 
Responsibilities, the Board and the Accounting Officer are responsible for 
the preparation of the financial statements and for being satisfied that they 
give a true and fair view. My responsibility is to audit, certify and report on 
the financial statements in accordance with the Data Protection Act 1998. 

I conducted my audit in accordance with International Standards on Auditing 
(UK and Ireland). Those standards require me and my staff to comply with 
the Auditing Practices Board’s Ethical Standards for Auditors. 


Scope of the audit of the financial statements 


An audit involves obtaining evidence about the amounts and disclosures
in the financial statements sufficient to give reasonable assurance that
the financial statements are free from material misstatement, whether 
caused by fraud or error. This includes an assessment of: whether the 
accounting policies are appropriate to the Information Commissioner’s 
Office’s circumstances and have been consistently applied and adequately 
disclosed; the reasonableness of significant accounting estimates made by 
the Information Commissioner's Office; and the overall presentation of the 
financial statements. In addition I read all the financial and non-financial 
information in the Annual Report to identify material inconsistencies with 
the audited financial statements and to identify any information that is 
apparently materially incorrect based on, or materially inconsistent with, 
the knowledge acquired by me in the course of performing the audit. 

If I become aware of any apparent material misstatements or inconsistencies 
I consider the implications for my certificate. 


I am required to obtain evidence sufficient to give reasonable assurance that 
the expenditure and income recorded in the financial statements have been 
applied to the purposes intended by Parliament and the financial transactions 
recorded in the financial statements conform to the authorities which
govern them.
Opinion on regularity


In my opinion, in all material respects the expenditure and income recorded 
in the financial statements have been applied to the purposes intended by 
Parliament and the financial transactions recorded in the financial 
statements conform to the authorities which govern them. 


Opinion on financial statements 
In my opinion: 


• the financial statements give a true and fair view of the state of the
  Information Commissioner's Office's affairs as at 31 March 2017 and
  of the net expenditure for the year then ended; and


• the financial statements have been properly prepared in accordance
  with the Data Protection Act 1998 and Secretary of State directions
  issued thereunder.


Opinion on other matters 
In my opinion: 


• the part of the Remuneration Report and Staff Report and the
  Parliamentary Accountability disclosures to be audited has been properly
  prepared in accordance with Secretary of State directions made under the
  Data Protection Act 1998; and


• the information given in the Performance Report and Accountability Report
  for the financial year for which the financial statements are prepared is
  consistent with the financial statements.


Matters on which I report by exception 


I have nothing to report in respect of the following matters which I report to 
you if, in my opinion: 


• adequate accounting records have not been kept or returns adequate for
  my audit have not been received from branches not visited by my staff; or


• the financial statements and the part of the Remuneration and Staff
  Report and the Parliamentary Accountability disclosures to be audited are
  not in agreement with the accounting records and returns; or


• I have not received all of the information and explanations I require for
  my audit; or


• the Governance Statement does not reflect compliance with HM Treasury's
  guidance.


Report 


I have no observations to make on these financial statements. 


Sir Amyas C E Morse 
Comptroller and Auditor General 
7 July 2017 


National Audit Office
157-197 Buckingham Palace Road
Victoria
London, SW1W 9SP
Statement of comprehensive net expenditure
for the year ended 31 March 2017


                                                    2016/17             2015/16
                                        Note      £'000     £'000     £'000     £'000
Expenditure
Staff costs                             3                  16,175              14,316
Other expenditure                                 7,176               6,724
Depreciation and other non-cash costs   4         1,745     8,921     2,162     8,886
Total expenditure                                          25,096              23,202
Income
Income from activities                  5a               (20,157)            (17,819)
Net expenditure                                             4,939               5,383
Other comprehensive expenditure
Net gain on revaluation of property,                        (435)               (128)
Total comprehensive expenditure
for the year ended 31 March                                 4,504               5,255


All income and expenditure relates to continuing operations. 
Statement of financial position
as at 31 March 2017 


31 March 2017 31 March 2016 

Note £000 £000 £000 £000 
Total non-current assets 1,826 2,460 
Current assets 
Total current assets 4,707 5,199 
Total assets 6,533 7,659 
Current liabilities 
a ere 3,632 3,560 
Non-current liabilities 
Assets less liabilities 2,982 3,506 
Taxpayers’ equity 

2,982 3,506 




Elizabeth Denham 
Information Commissioner 
5 July 2017 
Statement of cash flows
for the year ended 31 March 2017 


2016/17 2015/16 

Note £'000 £'000
Net cash outflow from operating activities (1,880) (3,493) 
Cash flows from investing activities 
Net cash outflow from investing activities (678) (864) 
Cash flows from financing activities 
Net cash flows from financing activities 3,790 3,731 
Net increase/(decrease) in cash and cash equivalents during
the year before adjustment for receipts and payments to the
Consolidated Fund 1,232 (626)
of the Information Commissioner’s activities 2,384 1,563 
Net increase/(decrease) in cash and cash equivalents in the year 821 109 
after adjustment for receipts and payments to the consolidated fund 
Cash and cash equivalents at the start of the year 2,808 2,699 
Cash and cash equivalents at the end of the year 10 3,629 2,808 
Statement of changes in taxpayers’ equity
for the year ended 31 March 2017


                                                                 Revaluation    General      Total
                                                                     reserve    reserve   reserves
                                                            Note       £'000      £'000      £'000
Balance at 31 March 2015                                                 266      4,574      4,840
Changes in taxpayers’ equity 2015/16
Grant in aid from the DCMS                                                        3,731      3,731
Transfers between reserves                                             (289)        289          —
Comprehensive expenditure for the year                                   128    (5,383)    (5,255)
Non-cash charges - Information Commissioner's salary costs  5                       190        190
Balance at 31 March 2016                                                 105      3,401      3,506
Changes in taxpayers’ equity 2016/17
Grant in aid from the DCMS                                                        3,790      3,790
Transfers between reserves                                             (217)        217          —
Comprehensive expenditure for the year                                   435    (4,939)    (4,504)
Non-cash charges - Information Commissioner's salary costs  3                       190        190
Balance at 31 March 2017                                                 323      2,659      2,982
Notes to the accounts


1. Statement of accounting policies 


These financial statements have been prepared in accordance with
the 2016-17 FReM issued by HM Treasury. The accounting policies
contained in the FReM apply International Financial Reporting
Standards (IFRS) as adapted or interpreted for the public sector
context. Where the FReM permits a choice of accounting policy,
the accounting policy which is judged most appropriate to the
particular circumstances of the Information Commissioner for
the purpose of giving a true and fair view has been selected.

The particular policies adopted by the Information Commissioner
are described below. They have been applied consistently in
dealing with items that are considered material to the accounts.


1.1 Accounting convention 
These accounts have been prepared under the historical cost 
convention modified to account for the revaluation of property, 
plant and equipment and intangible assets at their value to the 
business by reference to current costs. 


1.2 Disclosure of IFRSs in issue but not yet effective 
The Information Commissioner has reviewed the IFRS in issue but 
not yet effective (as below), and has determined that there is a new 
standard that is likely to have a significant impact. 


Standard                                          Impact


IAS 12 - Recognition of Deferred Tax Assets       Not applicable
for Unrealised Losses


IFRS 15 - Revenue from Contracts with             Not applicable
Customers


IFRS 2 - Classification and Measurement of        Not applicable
Share-based Payment Transactions


IFRS 4 - Applying IFRS 9 Financial Instruments    Not applicable
with IFRS 4 Insurance Contracts


IFRS 16 - Leases                                  Due to be implemented in
                                                  January 2019. This standard
                                                  will impact on the accounting
                                                  treatment of any current leases
                                                  and will have a material effect
                                                  on the accounts of the ICO.
                                                  All leases will be required to be
                                                  presented on the Statement of
                                                  Financial Position.
1.3 Grant in aid
Grant in aid is received from the DCMS to fund expenditure on
freedom of information work, and is credited to the General Reserve
on receipt.


1.4 Cash and cash equivalents
Cash and cash equivalents recorded in the Statement of Financial
Position and Statement of Cash Flows include cash in hand,
deposits held at call with banks, other short-term highly liquid
investments and bank overdrafts.


1.5 Income from activities and Consolidated Fund income

Income collected under the DPA is surrendered to the DCMS as 
Consolidated Fund income, unless the DCMS (with the consent of the 
Treasury) has directed otherwise, in which case it is treated as Income 
from activities. There are three main types of income collected: 


Data protection notification fees 

Fees are collected from annual notification fees paid by data 
controllers required to notify their processing of personal data under 
the DPA. The Commissioner has been directed to retain the fee 
income collected to fund data protection work and this is recognised 
in the Statement of Comprehensive Net Expenditure as income. At the 
end of each year the Commissioner may carry forward to the following 
year sufficient fee income to pay year end creditors. Any fees in 
excess of these limits are paid over to the Consolidated Fund. 


Civil monetary penalties 

The Commissioner can impose civil monetary penalties of up to £500k 
for serious breaches of the DPA or PECR. A penalty can be reduced by 
20% if paid within 30 days of being issued. 


The Commissioner does not take action to enforce a civil monetary 
penalty unless, and until, the period specified in the notice as to when 
the penalty must be paid has expired and the penalty has not been 
paid, all relevant appeals against the monetary penalty notice and any 
variation of it have either been decided or withdrawn, and the period 
for the data controller to appeal against the monetary penalty and any 
variation of it has also expired. 


Civil monetary penalties collected by the Commissioner are
recognised on an accruals basis when issued. They are paid over
to the Consolidated Fund net of any early payment reduction when
received. Civil monetary penalties are not recognised in the Statement
of Comprehensive Net Expenditure but are treated as an asset and a
liability in the Statement of Financial Position.


The amounts recognised are regularly reviewed and subsequently 
adjusted in the event that a civil monetary penalty is varied, cancelled, 
impaired or written off as irrecoverable. Amounts are written off as 
irrecoverable on the receipt of legal advice. Legal fees incurred in 
recovering debts are borne by the ICO. 
Sundry receipts

The Commissioner has been directed to retain certain sundry receipts
such as reimbursed travel expenses, conference fees and recovered
legal costs. This is recognised in the Statement of Comprehensive Net
Expenditure as income.


The Commissioner has interpreted the FReM to mean that she is
acting as a joint agent with the DCMS, and that income not directed
to be retained as Income from Activities falls outside of normal
operating activities and is not reported through the Statement of
Comprehensive Net Expenditure, but disclosed separately within the
notes to the accounts. This included receipts such as bank interest,
which is paid to the Consolidated Fund.


1.6 Notional costs
The salary and pension entitlement of the Information Commissioner
are paid directly from the Consolidated Fund and are included
within staff costs and then reversed with a corresponding credit to
the General Reserve.


1.7 Pensions
Past and present employees are covered by the provisions
of the PCSPS.


1.8 Property, plant and equipment
Assets are classified as property, plant and equipment if they are
intended for use on a continuing basis, and their original purchase
cost, on an individual basis, is £2,000 or more; except for laptop and
desktop computers which are capitalised even when their individual
cost is below £2,000.


Property, plant and equipment (excluding assets under construction)
are carried at fair value. Depreciated modified cost is used as a proxy
for fair value by using appropriate indices published by the Office
for National Statistics due to the short length of the useful life of
information technology and furniture and fittings, and the low values
of items of plant and machinery.


At each balance sheet date the carrying amounts of property,
plant and equipment and intangible assets are reviewed to determine
whether there is any indication that those assets have suffered an
impairment loss. If any such indication exists the fair value of the
asset is estimated in order to determine the impairment loss.
Any impairment charge is recognised in the Statement of
Comprehensive Net Expenditure account in the year in which it occurs.


1.9 Depreciation
Depreciation is provided on property, plant and equipment on a
straight-line basis to write off the cost or valuation evenly over the
asset’s anticipated life. A full year’s depreciation is charged in the year
in which an asset is brought into service. No depreciation is charged
in the year of disposal. The principal lives adopted are:


Information technology: between five and 10 years 
Plant and machinery: between five and 10 years 
Leasehold improvements: over the remainder of the property lease 
1.10 Intangible assets and amortisation
Intangible assets are stated at the lower of replacement cost and 
recoverable amount. Computer software licences and their associated 
costs are capitalised as intangible assets where expenditure of £2,000 
or more is incurred. Software licences are amortised over their useful 
economic life which is estimated as four years or the length of the 
contract, whichever is the shorter term. 


1.11 Operating leases 
Amounts payable under operating leases are charged to the 
Comprehensive Net Expenditure Account on a straight-line basis over 
the lease term, even if the payments are not made on such a basis. 


1.12 Provisions 
Provisions are recognised when there is a present obligation as a 
result of a past event where it is probable that an outflow of resources 
will be required to settle the obligation and a reliable estimate of the 
amount of the obligation can be made. 


1.13 Value added tax 
The Information Commissioner is not registered for VAT as most 
activities of the ICO are outside of the scope of VAT and fall below 
the registration threshold. VAT is charged to the relevant expenditure 
category, or included in the capitalised purchase cost of non-current 
assets. 


1.14 Segmental reporting 
The policy for segmental reporting is set out in note 2 to the 
Financial statements. 
2. Analysis of net expenditure by segment


Freedom of 
information 


Freedom of 
information 


2016/17 
Total 


(20,157) 
4,939 


2015/16 
Total 


(17,919) 


Data 
protection 
£'000 
os DRE EE a A e SiO 
a O ea Aa 
Net expenditure ASS 
Data 
protection 
£'000 
Gross expenditure eee AGE 23202 
eae pd ee ee ao 
Net expenditure 1,633 


All expenditure is classed as administrative expenditure. 


The analysis above is provided for fees and charges purposes 
and for the purpose of IFRS 8: Operating Segments. 


The factors used to identify the reportable segments of data
protection and freedom of information were that the Commissioner's
main responsibilities are contained within the DPA and FOIA,
and funding is provided for data protection work by collecting an
annual registration fee from data controllers under the DPA,
whilst funding for freedom of information is provided by a grant
in aid from the DCMS.


The data protection registration fee is set by the Secretary of State,
and in making any fee regulations under section 26 of the DPA,
as amended by paragraph 17 of Schedule 2 to the FOIA, she shall
have regard to the desirability of securing that the fees payable to
the Commissioner are sufficient to offset the expenses incurred by
the Commissioner, the Information Tribunal and any expenses of the
Secretary of State in respect of the Commissioner or the Tribunal,
and any prior deficits incurred, so far as attributable to the functions
under the DPA.


These accounts do not include the expenses incurred by the
Information Tribunal or the Secretary of State in respect of the
Commissioner, and therefore cannot be used to demonstrate
that the data protection fees offset expenditure on data protection
functions, as set out in the DPA.


Expenditure is apportioned between the data protection and freedom 
of information work on the basis of costs recorded in the ICO's 
accounting system. This allocates expenditure to various cost centres 
across the organisation. A financial model is then applied to apportion 
expenditure between data protection and freedom of information on 
an actual basis, where possible, or by way of reasoned estimates 
where expenditure is shared. This model is monitored by the DCMS. 


5,383 
3. Staff numbers and related costs


Staff costs comprise:


                                          Permanently
                                          employed staff    Others
                                                   £'000     £'000
Wages and salaries                                12,368       238
Social security costs                              1,173         —
Other pension costs                                2,487         —
Sub-total                                         16,028       238
Less recoveries in respect of outward
secondments                                         (91)         —
Total net costs                                   15,937       238


Included in staff costs above are notional costs of £190k (2015-16:
£190k) in respect of salary and pension entitlements of the
Information Commissioner and the associated employer's national
insurance contributions which are paid directly from the Consolidated
Fund, temporary agency staff costs of £238k (2015-16: £345k) as
well as the amounts relating to senior managers disclosed in the
Remuneration Report.


Average number of persons employed 
The average number of whole time equivalent persons employed 
during the year was: 


                    Permanently       Temporarily
                    employed staff    employed staff
Total employed                 422              12.6


Pension arrangements 

The PCSPS is an unfunded multi-employer defined benefit scheme. 
The ICO is unable to identify its share of the underlying assets and 
liabilities. The Scheme Actuary valued the scheme at 31 March 2012. 
Details may be found in the resource accounts of the Cabinet Office 
Civil Superannuation (www.civilservice.gov.uk/pensions). 


For 2016-17 employers' contributions of £2,392k (2015-16: £2,102k)
were payable to the PCSPS at one of four rates in the range 20-24.5%
of pensionable pay, based on salary bands. The Scheme's Actuary
reviews employer contributions usually every four years following a
full Scheme valuation. The contribution rates are set to meet the
cost of benefits accruing during 2016-17 to be paid when the member
retires and not the benefits paid during the period to
existing pensioners.
Employees can opt to open a partnership account, a stakeholder
pension with an employer contribution. Employers’ contributions of
£78k (2015-16: £65k) were paid to one or more of a panel of three
appointed stakeholder pension providers. Employers’ contributions
are age related and range from 8% to 14.8% of pensionable pay.

In addition, employers’ contributions of £2.5k (2015-16: £2k), 0.5%
of pensionable pay, were payable to the PCSPS to cover the cost
of future provision of lump sum benefits on death in service and ill
health retirement of these employees.


Contributions due to partnership pension providers at the Statement
of Financial Position date were £6.6k (2015-16: £6.6k).
Contributions prepaid at the date were £nil (2015-16: £nil).

Pension costs include notional employers’ contributions of
£23k (2015-16: £34k) in respect of the Commissioner.


No individuals retired early on health grounds during the year. 


4. Other expenditure 


2016/17 2015/16 
£'000 £'000 £'000 £'000 
7,176 6,724 

Non-cash items 
1,745 2,162 
Total expenditure 8,921 8,886 
Income


Income from activities 
Sundry receipts
Total 


Consolidated Fund income 


Retained under direction as Income from 
Activities 


Cancelled after successful appeals 
Re-issued after appeal 
Impairments 


Sundry receipts 


Income receipts under the Data Retention 
and Investigatory Powers Act 


Sundry receipts retained under direction as 
Income from Activities 


Income payable to Consolidated Fund 


Balances held at the start of the year 


Payments to the Consolidated Fund 


Balances held at the end of the 
year (note 11) 


2016/17 
£'000 £'000
19,729 
428 
20,157 
2016/17 
£'000 £'000 
19,729 
(19,729) 
3,556
(381) 
302 
(1,557) 
1,920 
27 
22 
49 
330 
428 
(428) 
1,920 
1,967 
1,920 
(2,795) 
1,092 


2015/16 
£'000 £'000 
17,403 
416 
17,819 
2015/16 
£'000 £'000 
18,311 
(17,403) 
908 
2,529 
(142) 
(815) 
— 1,572
7
22 
57 
330 
416 
(416) 
2,480 
315 
2,480 
(828) 
1,967 
As set out in note 1.5, income payable to the Consolidated Fund does
not form part of the Statement of Comprehensive Net Expenditure.
Amounts retained under direction from the DCMS with the consent of
the Treasury are treated as Income from Activities within the Statement
of Comprehensive Net Expenditure. The amounts receivable at 31 March
2017 were £595k (2015-16: £1,059k) and the amounts payable were
£1,092k (2015-16: £1,967k).


6. Property, plant and equipment 


                     Information   Plant and   Leasehold      Assets under     2017     2016
                     technology    machinery   improvements   construction    Total    Total
                          £'000        £'000          £'000          £'000    £'000    £'000
At 31 March 2017          7,778          193          2,381            750   11,102   10,511
Depreciation
At 31 March 2017          6,990          149          2,381              —    9,520    9,107
Owned
Net book value at
31 March 2017               788           44              —            750    1,582    1,404


Property, plant and equipment (excluding assets under construction) 
are re-valued annually using appropriate current cost price indices 
published by the Office for National Statistics. 


Included above are fully depreciated assets, in use with a gross 
carrying amount of £21k (2015-16: £5,113k). 
Software 
licences 


Reclassifications 
At 31 March 2017 


Amortisation 


Disposals 
At 31 March 2017 


Net book value at 31 March 2017 


Asset financing 


Net book value at 31 March 2017 


Financial instruments 


2017 2016 
Total Total 
£'000 £'000 
3,370 3,320 
10 76 

– (26) 
3,380 3,370 
2,314 1,519 
822 821 

– (26) 
3,136 2,314 
244 1,056 
244 1,056 
244 1,056 


As the cash requirements of the Information Commissioner are met 
through fees collected under the DPA and grant in aid provided by the 
DCMS, financial instruments play a more limited role in creating and 
managing risk than would apply to a non-public sector body. 


The majority of financial instruments relate to contracts to buy 
non-financial items in line with the Information Commissioner's expected 
purchase and usage requirement and the Information Commissioner 
is therefore exposed to little credit, liquidity or market risk. 


The Information Commissioner does not face significant medium to 
long-term financial risks. 
9. Trade receivables and other 
current assets 


31 March 31 March 
2017 2016 
£'000 £'000 
Sub-total 483 1,332 
1,078 2,391 

Split 
1,078 2,391 


10. Cash and cash equivalents 
31 March 31 March 
2017 2016 
£'000 £'000 
821 19 
Balance at 31 March 3,629 2,808 

Split 
3,629 2,808 
31 March 
2017 


31 March 
2016 


Accruals and deferred income 
Sub-total 


Bodies external to government 


The amount payable to the sponsor department represents the 
amount which will be due to the Consolidated Fund when all of 
the income due is collected. 


Provision for liabilities and charges 


Early departure costs 


Provision utilised in year 
Balance at 31 March 


Analysis of expected timing of 
discounted flow: 


2016/17 2015/16 
£'000 £'000 
63 62 

— 10 

(9) (9) 

54 63 


Early departure costs 


Later than one year and not later than 
five years 


Later than five years 


Dilapidations 
2016/17 2015/16 
£'000 £'000 
605 510 
– 95 
605 605 
Dilapidations 
2016/17 2015/16 
£'000 £'000 
– 605 
605 – 
605 605 


2016/17 2015/16 
£'000 £'000 

9 9 

45 54 

54 63 
Dilapidations provision 

The lease on the ICO main premises at Wycliffe House, Wilmslow 
expired on 1 January 2017 and a new lease signed with a break clause 
in five years. A provision has been made based upon the assessment 
by GVA, commercial property advisers, dated January 2013 and 
updated to recent prices. 


Early departure costs 

The additional cost of benefits, beyond the normal PCSPS benefits in 
respect of employees who retire early, is provided for in full when 
the early departure decision is approved by establishing a provision 
for the estimated payments discounted by the Treasury discount rate 
of 0.24% (2015-16: 1.37%). The estimated payments are provided 
by MyCSP. 


13. Capital commitments 


There were no capital commitments in the year ending 31 March 2017 
(2015-16 £nil). 


14. Commitments under operating leases 


The ICO leases properties in Wilmslow and Belfast under non- 
cancellable operating lease agreements. The lease in Wilmslow allows 
for a break clause on 01 January 2022 and Belfast on 04 February 
2018. Both leases have no option to purchase and no specific renewal 
terms. Renewals are negotiated with the lessor in accordance with the 
provisions of the individual lease agreements. 


31 March 31 March 
2017 2016 
£'000 £'000 
Total future minimum lease payments under operating leases are: 

Buildings 
Not later than one year 384 571 
Later than one year and not later than five years 2,311 22 
Later than five years – – 
2,695 598 


The minimum lease payments are determined from the relevant lease 
agreements and do not reflect possible increases as a result of market 
based reviews. The lease expenditure charged to the Statement of 
Comprehensive Net Expenditure during the year is disclosed in note 4. 
15. Related party transactions 


The Information Commissioner confirms that she had no personal 
business interests which conflict with her responsibilities as 
Information Commissioner. 


During the financial year 2016-17 the DCMS was a related party to 
the Information Commissioner. 


During the year no related party transactions were entered into, with 
the exception of providing the Information Commissioner with grant 
in aid and remitting receipts collected on behalf of the Consolidated 
Fund. Details of the Commissioner’s remuneration and pension 
entitlement are disclosed in the remuneration report earlier in the 
document and note 3 to the Financial Statement. 


None of the key managerial staff or other related parties has 
undertaken any material transaction with the Information 
Commissioner during the year. 


16. Contingent Liabilities 


There are no contingent liabilities at 31 March 2017 (2016: none). 


17. Events after the reporting period 


There were no events between the Statement of Financial Position 
date and the date the accounts were authorised for issue, which is 
interpreted as the date of the Certificate and Report of the Comptroller 
and Auditor General. 